NEW YORK CITY — Users remain the principal weak link in IT infrastructure and as a result, IT is not confident they can meet regulatory requirements for securing unstructured data. Those are the findings of a new report, “File Sharing and Collaboration Leads to Security Gaps in Financial Services Firms.” The data come from an online survey conducted with 200 U.S. based IT professionals in the financial services industry.
“The more we make technology stronger and stronger, the more people become the weakest link,” said Alex Manea, Chief Security Officer, BlackBerry. “There are no style points in hacking. It exploits people’s weaknesses rather than technology’s weaknesses.”
The survey results emphasize the persistence of a key problem — that really effective security can become a pain to users, which they in turn will try and work around. That’s why the survey found that over a-third of respondents said their organization has employees using file-sharing applications that are not approved by IT, which they use as shortcuts. As a result, a third were only “somewhat confident” or “not at all confident” about their ability to meet regulatory requirements — despite having policies covering unstructured data.
“I see a constant tug of war between usability and security,” said John Chen, BlackBerry’s Executive Chairman and CEO. “On one hand, you want a system that’s completely safe. On the other, you want one that’s productive. However, productivity has to tie to individual usability. If you have a system that makes you change the password twelve times, and use special characters and capital letters, it all becomes unmanageable. If technology makes me uncomfortable signing on, I’m probably going to skip that. For instance, my company laptop asks me to do one more level of VPN and I don’t want to do that in a hotel room – so I don’t use my laptop, because it gets too cumbersome. I use my phone instead.”
The survey found that only 26 per cent of respondents reported a breach due to an external attack.
“This is the piece of data from the survey that is the most non-intuitive,” Manea said, “It certainly doesn’t reflect customer focus, meaning where they are spending their money. Most money is being focused on preventing external attacks through things like penetration testing and fixing vulnerabilities. It’s not being spent to the same degree on anti-phishing campaigns and general education.”
The breaches from internal sources stemmed from multiple factors. Seventeen per cent came from internal bad actors such as disgruntled employees. Eighteen per cent came from lost, stolen or unsecured devices. The remainder, over a quarter of the total, came from an inadvertent mistake like the accidental sharing of sensitive files.
Manea said that the best defenses haven’t changed.
“One is to deploy better and more secure technologies, for things like file sharing,” he said. “Our BlackBerry Workspaces product can securely transfer files across different endpoints, and is a cloud platform that can secure files on all the different endpoints, so IT can choose if files need to be encrypted, or password protected, or if they can be shared.”
Manea also said that many organizations still need to change basic attitudes towards security.
“Security still tends to be seen as something that’s a cost,” he stated. “We need to get people to see it as a business enabler, and to see the need to deploy better security solutions, and solutions that work better with users’ processes, so they aren’t compelled to do things they don’t like to do.”
Manea said that anti-phishing campaigns are fundamentally different from “NetNanny” software from the last decade, which has tended to fall into disuse because employees with any choice whatsoever tended not to want to work for companies that blocked them from visiting non-controversial sites they would visit at home.
“The difference is that that software prevented people from doing things they would normally do,” he said. “With anti- phishing campaigns, all you do is what external hackers would do, to teach the users how to respond to them.”
Tom Farley, President of the NYSE, a fairly recent BlackBerry customer and one of their recent high-profile wins, was a featured speaker at the morning keynote, and he indicated the NYSE has a comparatively tough response to executives who fail their anti-phishing tests — which can include withholding their bonuses!
“Usually the punishment for failing those tests is having to do more of them,” Manea said. “That’s what we ourselves do at BlackBerry. We target users who didn’t do well in testing for more education and more testing.”
BlackBerry sells consulting services around phishing and other social engineering through their cybersecurity division.
“This includes things like having someone walk into corporate environments pretending to be a trusted person, and see how far they can get into the network,” Manea said.